Adding a PDF manual document for users.

[pingpong.git] / packet-padding / timing_detection_vpn_padding.py

import argparse\r
import ipaddress\r
import socket\r
import unicodecsv as csv\r
\r
from scapy.all import *\r
\r
\r
def find_matches(pcap_file, router_wan_ip, sig_duration):\r
    # Read all packets into memory (stored as a list).\r
    # This is slow and consumes lots of memory.\r
    # There are more efficient ways to read the pcap (which clear each packet from memory after it's been processed).\r
    # However, to simplify the detection implementation we stick with the quick-and-dirty approach.\r
    pkts = rdpcap(pcap_file)\r
    # The potential signature matches, with the request packet as the first item of a tuple, and all possible reply\r
    # packets as the second item.\r
    matches = []\r
    for idx, p in enumerate(pkts):\r
        # Only consider IP traffic (note: this does not account for IPv6).\r
        if not IP in p:\r
            continue\r
        # Note: IP addresses are apparently stored in string form (odd)\r
        src = p[IP].src\r
        dst = p[IP].dst\r
        if src != router_wan_ip:\r
            # We are trying to find matches for a simple [C->S, S->C] signature, so we want to first identify an\r
            # outbound (router-to-cloud) packet and then subsequently find all potential reply packets (cloud-to-router)\r
            # If this is a cloud-to-router packet, it is of no interest to us at this stage, so move on.\r
            continue\r
        # TODO should we exclude all multicasts+broadcasts? They wouldn't occur and/or be tunneled?\r
        if ipaddress.ip_address(dst).is_multicast:\r
            # Don't include multicast traffic originating from the router in the results.\r
            continue\r
        # Find the set of potential reply packets for this request.\r
        replies = find_reply_pkts(router_wan_ip, pkts, idx, sig_duration)\r
        # Store packet index alongside packet so that we can provide packet numbers for post analysis.\r
        matches.append(((p, idx), replies))\r
    return matches\r
\r
\r
def find_reply_pkts(router_wan_ip, pkts, request_pkt_idx, sig_duration):\r
    request_pkt = pkts[request_pkt_idx]\r
    idx = request_pkt_idx + 1\r
    reply_pkts = []\r
    while idx < len(pkts) and pkts[idx].time - request_pkt.time <= sig_duration:\r
        pkt = pkts[idx]\r
        if is_inbound_ip_pkt(pkt, router_wan_ip):\r
            # Only count IP packets with router WAN IP as destination as potential replies to the request.\r
            # Store packet index alongside packet so that we can provide packet numbers for post analysis.\r
            reply_pkts.append((pkt, idx))\r
        idx += 1\r
    return reply_pkts\r
\r
\r
def is_inbound_ip_pkt(pkt, router_wan_ip):\r
    return IP in pkt and pkt[IP].dst == router_wan_ip\r
\r
\r
def write_matches_to_csv(matches, csv_filename):\r
    key_req_pkt = 'request_pkt'\r
    key_reply_pkts = 'reply_pkts'\r
    key_reply_pkts_count = 'number_of_reply_pkts'\r
    columns = [key_req_pkt, key_reply_pkts, key_reply_pkts_count]\r
    with open (csv_filename, 'wb') as csv_file:\r
        writer = csv.DictWriter(csv_file, fieldnames=columns)\r
        writer.writeheader()\r
        for m in matches:\r
            request_pkt = m[0][0]\r
            request_pkt_idx = m[0][1]\r
            # Wireshark packet numbers start from 1 (are not 0-based)\r
            request_pkt_num = request_pkt_idx + 1\r
            reply_pkts_numbers = []\r
            for (reply_pkt, reply_pkt_idx) in m[1]:\r
                reply_pkt_num = reply_pkt_idx + 1\r
                reply_pkts_numbers.append(reply_pkt_num)\r
            row = { key_req_pkt: request_pkt_num,\r
                    key_reply_pkts: '; '.join(str(pkt_num) for pkt_num in reply_pkts_numbers),\r
                    key_reply_pkts_count: len(reply_pkts_numbers) }\r
            writer.writerow(row)\r
\r
\r
if __name__ == '__main__':\r
    desc = 'Perform detection on traffic in a VPN tunnel where traffic is padded; ' + \\r
           'i.e., the detection is entirely based on timing information and packet directions. ' + \\r
            'NOTE: THIS CODE IS SIMPLIFIED AND ONLY WORKS FOR SIMPLE [Client-to-Server, Server-to-Client] TWO ' + \\r
            'PACKET SIGNATURES.'\r
    parser = argparse.ArgumentParser(description=desc)\r
    parser.add_argument('pcap_file', help='Full path to the target pcap file (detection target trace).')\r
    parser.add_argument('router_wan_ip', help='IP of WAN interface of the home router (in decimal format).')\r
    h = 'Duration of the signature ' + \\r
        '(max time between request and reply packet for the two packets to be considered a match). ' + \\r
        'Unit: seconds (floating point number expected).'\r
    parser.add_argument('signature_duration',\r
                        help=h, type=float)\r
    parser.add_argument('output_csv', help='Filename of CSV file where results are to be written.')\r
    args = parser.parse_args()\r
\r
    pcap_file = args.pcap_file\r
    router_wan_ip = args.router_wan_ip\r
    signature_duration = args.signature_duration\r
    output_csv = args.output_csv\r
    print('Parsed arguments:')\r
    print(f'pcap_file={pcap_file}')\r
    print(f'router_wan_ip={router_wan_ip}')\r
    print(f'signature_duration={signature_duration}')\r
    print(f'output_csv={output_csv}')\r
\r
    events = find_matches(pcap_file, router_wan_ip, signature_duration)\r
    # for e in events:\r
    #     request_pkt = e[0][0]\r
    #     request_pkt_num = e[0][1] + 1\r
    #     for (reply_pkt, reply_pkt_num) in e[1]:\r
    #         print(f"MATCH: Packet number {request_pkt_num} (request) with packet number {reply_pkt_num + 1} (reply).")\r
    write_matches_to_csv(events, output_csv)\r